SWITCHED ON
The daily technology series nobody asked for but everyone needed
Locked Out: Cybersecurity, Ransomware, and the Nation-State Hacking Problem
Ransomware shut down a major US fuel pipeline, disrupted hospitals, and brought a global shipping company to its knees. The people doing it operate from countries that will not extradite them. This is the normal state of digital security in 2026.
There are two types of organisations: those that have been hacked, and those that don't know they've been hacked. This has been said so many times in security circles that it has become a cliché. It is also, empirically, correct. The question is not whether your systems will be compromised. It is what happens when they are.
Yesterday we dismantled the "nothing to hide" argument and walked through the surveillance economy — what is actually being collected about you, by whom, through what mechanisms, what GDPR did and did not achieve, and what you can realistically do as an individual in a system where the data collection infrastructure is embedded in the basic operation of the modern internet. Today we are staying in the domain of digital threat but shifting from passive extraction to active attack. Cybersecurity: ransomware as a mature criminal industry, the most consequential breaches of the past decade, what nation-state hacking actually looks like at operational scale, and what separates organisations that survive serious attacks from those that don't. This is not a topic for the paranoid. It is a topic for anyone who uses a computer, runs a business, or relies on services that do.
01 — Ransomware: The Industry Nobody Asked For
Ransomware — malware that encrypts an organisation's files and demands payment for the decryption key — has evolved from a nuisance perpetrated by opportunistic criminals into a mature, professionalised industry with service providers, affiliate networks, customer support desks, and negotiation specialists. Ransomware-as-a-Service, in which criminal groups develop and maintain the technical infrastructure and lease it to affiliates who conduct the actual attacks in exchange for a revenue share, has lowered the barrier to entry for cybercrime to the point where technical sophistication is no longer a prerequisite for a devastating attack.
The scale of the problem is extraordinary. Global ransomware damages — including ransom payments, recovery costs, downtime, and reputational harm — run into the hundreds of billions of dollars annually. The Colonial Pipeline attack in May 2021 encrypted the IT systems of the largest fuel pipeline on the US East Coast, prompting the company to shut down pipeline operations as a precaution, causing fuel shortages across multiple states, and resulting in a ransom payment of approximately $4.4 million in Bitcoin. The attack was conducted by a group called DarkSide, operating a ransomware-as-a-service model, and the vulnerability exploited was a compromised VPN password with no multi-factor authentication. A single exposed credential. Hundreds of millions of dollars in economic damage.
The Colonial Pipeline attack was not conducted by sophisticated nation-state hackers exploiting obscure vulnerabilities. It was conducted by a criminal affiliate group using a stolen password on an account without two-factor authentication. The most consequential cyberattack on US energy infrastructure in history had an embarrassingly mundane root cause.
Hospitals have been among the most targeted and most consequential victims of ransomware. The 2020 attack on Universal Health Services, one of the largest hospital chains in the US, disrupted operations at hundreds of facilities. Staff reverted to paper records. Patient care was delayed. The 2021 attack on Ireland's Health Service Executive shut down IT systems across the entire national health service for weeks. Elective procedures were cancelled. Cancer treatment was delayed. These are not abstract economic damages. They are documented harms to real patients, some of whom died during the disruption.
02 — Nation-State Hacking and What It Actually Looks Like
Criminal ransomware and nation-state hacking are distinct phenomena, though they occasionally overlap in ways that serve the interests of states that want plausible deniability for disruptive operations. Nation-state cyber operations are generally characterised by patience, sophistication, and objectives that go beyond financial gain — intelligence collection, infrastructure disruption, supply chain compromise, and in some cases pre-positioning for future conflict.
The SolarWinds compromise, discovered in December 2020, is the most instructive recent example of a sophisticated nation-state operation. Russian intelligence — specifically the SVR, Russia's foreign intelligence service — compromised the build system of SolarWinds, a company whose Orion IT monitoring software was used by approximately 33,000 organisations including multiple US federal agencies, major defence contractors, and Fortune 500 companies. The attackers inserted malicious code into a legitimate software update. When organisations installed the update, they installed the backdoor. The compromise was present in customer environments for months before detection. The attackers moved carefully, prioritising access to high-value targets and avoiding the kind of disruptive activity that would trigger alarm. It was, by any assessment, a masterclass in supply chain compromise.
China's cyber operations have been extensively documented and are characterised by a different set of priorities — long-term intellectual property theft and strategic intelligence collection rather than the disruption-focused operations more characteristic of Russian and North Korean actors. The Office of Personnel Management breach in 2015, attributed to Chinese state-sponsored hackers, exposed the security clearance files of approximately 21 million current and former US government employees and contractors — including polygraph records, foreign contacts, mental health histories, and financial information. The intelligence value of this data, for identifying and recruiting intelligence assets and understanding the US government's most sensitive workforce, was incalculable.
03 — The Vulnerability Ecosystem
Every significant cyberattack exploits a vulnerability — a flaw in software, hardware, or human behaviour that allows an attacker to do something the system was not intended to permit. The ecosystem around vulnerability discovery, disclosure, and exploitation is one of the more morally complex corners of the technology world.
Zero-day vulnerabilities — flaws that are unknown to the software vendor and therefore unpatched — are extraordinarily valuable. Governments, intelligence agencies, and criminal organisations pay large sums for zero-days that can be exploited before the vendor has the opportunity to issue a fix. A zero-day in a widely deployed browser, operating system, or enterprise application can be worth millions of dollars on the grey and black markets. The NSA's Equation Group accumulated an arsenal of zero-days and custom exploitation tools. In 2017, a group calling itself the Shadow Brokers leaked a significant portion of this arsenal online. Several tools from the leak were subsequently weaponised in some of the most destructive cyberattacks in history, including WannaCry and NotPetya.
NotPetya, attributed to Russian military intelligence and deployed against Ukrainian targets in June 2017, spread globally via EternalBlue, one of the leaked exploits that WannaCry had already used, and caused an estimated $10 billion in damages — making it the most economically destructive cyberattack in history. Maersk, the global shipping company, had to reinstall approximately 45,000 PCs and 4,000 servers and rebuild its entire network infrastructure from scratch. FedEx's TNT Express subsidiary was similarly devastated. Neither was the intended target. Both were collateral damage from a weapon built with a US government-discovered vulnerability, leaked by parties unknown, deployed by Russia against Ukraine, and spread indiscriminately across the global internet.
NotPetya is the clearest demonstration that cyberweapons, unlike conventional weapons, do not respect borders. A tool built for a specific target can cause global collateral damage in hours. The implications for the development and stockpiling of offensive cyber capabilities have not been adequately addressed by any government.
04 — The Human Factor
The security industry's persistent uncomfortable truth is that the majority of successful attacks exploit human behaviour rather than sophisticated technical vulnerabilities. Phishing — emails that trick recipients into clicking malicious links or providing credentials — remains the most common initial access vector for both criminal and nation-state attacks. Business email compromise — impersonating executives or suppliers to authorise fraudulent payments — costs organisations billions of dollars annually. Social engineering — manipulating people through deception rather than hacking through code — is frequently more effective than technical exploitation because it targets the most complex and least patchable system in any organisation: its people.
The 2020 Twitter hack, in which attackers compromised the accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Apple, and others to promote a cryptocurrency scam, was not the result of a sophisticated technical exploit. It was the result of a phone call. Attackers called Twitter employees, impersonated IT staff, and convinced them to hand over credentials to internal tools. The entire attack chain ran through social engineering. The most technically secure systems in the world can be bypassed by a convincing phone call to the right person at the right moment.
05 — What Meaningful Defence Actually Requires
The cybersecurity advice landscape is cluttered with products, frameworks, certifications, and consultants, many of which generate more revenue than security. What actually makes a meaningful difference is less glamorous and more consistent than the industry's marketing would suggest.
Multi-factor authentication — requiring a second form of verification beyond a password — is the single most effective control against credential-based attacks, which represent the majority of initial access vectors. It is cheap, widely available, and still not universally implemented. The Colonial Pipeline attack could plausibly have been prevented by MFA on a single VPN account. Regular, tested, offline backups — verified to actually restore — are the most effective mitigation against ransomware, because they eliminate the leverage that encryption creates. Patch management — keeping software updated to close known vulnerabilities — is unglamorous and labour-intensive and prevents a significant proportion of successful attacks. These are not the interesting answers. They are the correct ones.
At the national and international level, the cybersecurity problem has a governance dimension that individual security measures cannot address. Ransomware groups operate from jurisdictions that will not extradite them. North Korea uses state-sponsored hacking to generate foreign currency, making it a regime survival mechanism rather than merely a criminal enterprise. The international norms around acceptable state behaviour in cyberspace are contested, inconsistently applied, and backed by enforcement mechanisms that range from weak to nonexistent. The technical problem of cybersecurity is hard. The geopolitical problem is harder. Neither has a solution that is close to deployment at the required scale.
Tomorrow we are moving from digital threats to digital futures — specifically the question of what the technological singularity actually means, whether artificial general intelligence is coming, when, what it would look like, and whether the people thinking hardest about it are visionaries, catastrophists, or something more complicated than either. See you then.
Switched On is a daily technology series covering AI, social media, data privacy, and the digital forces reshaping modern life — with no corporate spin, no false comfort, and absolutely no mercy for buzzwords.